From 1eaff9a67088543ac76484bc36675c7c3fd51a45 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 25 Aug 2022 18:44:41 +1000
Subject: [PATCH] dnssec-signzone can now enable FIPS mode from the commandline

'dnssec-signzone -F' will now enable FIPS mode if supported by the crypto provider and not already enabled.
---
 bin/dnssec/Makefile.am         | 13 +++++++++-
 bin/dnssec/dnssec-signzone.c   | 44 ++++++++++++++++++++++++++++++++--
 bin/dnssec/dnssec-signzone.rst |  8 ++++++-
 3 files changed, 61 insertions(+), 4 deletions(-)

diff --git a/bin/dnssec/Makefile.am b/bin/dnssec/Makefile.am
index 007c66f355..0017705a0d 100644
--- a/bin/dnssec/Makefile.am
+++ b/bin/dnssec/Makefile.am
@@ -37,4 +37,15 @@ dnssec_keygen_CPPFLAGS = \
 dnssec_keygen_LDADD = \
 	$(LDADD) \
-	$(LIBISCCFG_LIBS)
+	$(LIBISCCFG_LIBS) \
+	$(OPENSSL_LIBS)
+
+dnssec_signzone_CPPFLAGS = \
+	$(AM_CPPFLAGS) \
+	$(LIBISCCFG_CFLAGS) \
+	$(OPENSSL_CFLAGS)
+
+dnssec_signzone_LDADD = \
+	$(LDADD) \
+	$(LIBISCCFG_LIBS) \
+	$(OPENSSL_LIBS)
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 0a759cf9ef..82cb3d00d1 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -33,6 +33,8 @@
 #include
 #include
+#include
+
 #include
 #include
 #include
@@ -40,6 +42,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -85,6 +88,9 @@
 #include
 #include
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+#include
+#endif
 #include "dnssectool.h"
@@ -3221,6 +3227,7 @@ usage(void) {
 	fprintf(stderr, "\t\tdirectory to find key files (.)\n");
 	fprintf(stderr, "\t-d directory:\n");
 	fprintf(stderr, "\t\tdirectory to find dsset-* files (.)\n");
+	fprintf(stderr, "\t-F:\tFIPS mode\n");
 	fprintf(stderr, "\t-g:\t");
 	fprintf(stderr, "update DS records based on child zones' "
 			"dsset-* files\n");
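Review bot: `dnssec_keygen_LDADD` gains `$(OPENSSL_LIBS)` in this hunk, but no matching `$(OPENSSL_CFLAGS)` is added to `dnssec_keygen_CPPFLAGS`, whereas the new `dnssec_signzone_CPPFLAGS` carries it. The keygen CPPFLAGS assignment starts above the hunk, so it cannot be seen here whether it already includes `$(OPENSSL_CFLAGS)`; if it does not, any `OPENSSL_VERSION_NUMBER`/`OPENSSL_API_LEVEL` guard in that tool would quietly select the non-OpenSSL path instead of failing to build. Please confirm the keygen CPPFLAGS or mirror the signzone change, `	$(OPENSSL_CFLAGS)`, there as well.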
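Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000` evaluates to 0 with no diagnostic if either macro is not yet defined at this point (the preprocessor treats unknown identifiers as 0), which would compile `-F` down to the bare `isc_fips_set_mode()` path without the provider loading. The header names are stripped in this rendering, so it cannot be confirmed that an OpenSSL header such as `<openssl/opensslv.h>` precedes this check; if none does, include one explicitly here. The same guard is repeated verbatim in the `main()` hunks at 3362, 3721 and 4104; naming it once next to this include, e.g. `#define USE_OSSL_PROVIDERS (OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000)`, would keep the four sites in step if the threshold ever changes.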
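Review bot: The new usage line `"\t-F:\tFIPS mode\n"` says less than the option does: in the `main()` hunk at 3721, `-F` calls `fatal()` when the FIPS provider cannot be loaded or FIPS mode cannot be set, so it enforces FIPS rather than merely requesting it (assuming `fatal()` terminates, as its name suggests). Suggest `fprintf(stderr, "\t-F:\tenable FIPS mode (fails if the crypto provider cannot)\n");`. The `.rst` text in the last hunk ("turns on FIPS ... if the underlying ... library supports") would benefit from the same precision, and has two typos, `This options` and `crytographic`. `usage()` begins above this hunk.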
@@ -3362,6 +3369,10 @@ main(int argc, char *argv[]) {
 	bool set_optout = false;
 	bool set_iter = false;
 	bool nonsecify = false;
+	bool set_fips_mode = false;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+	OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
 
 	atomic_init(&shuttingdown, false);
 	atomic_init(&finished, false);
@@ -3651,8 +3662,9 @@ main(int argc, char *argv[]) {
 			break;
 		case 'F':
-			/* Reserved for FIPS mode */
-			FALLTHROUGH;
+			set_fips_mode = true;
+			break;
+
 		case '?':
 			if (isc_commandline_option != '?') {
 				fprintf(stderr, "%s: invalid argument -%c\n",
@@ -3721,6 +3733,25 @@ main(int argc, char *argv[]) {
 	isc_managers_create(&mctx, nloops, &loopmgr, &netmgr);
 
+	if (set_fips_mode) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+		fips = OSSL_PROVIDER_load(NULL, "fips");
+		if (fips == NULL) {
+			fatal("Failed to load FIPS provider");
+		}
+		base = OSSL_PROVIDER_load(NULL, "base");
+		if (base == NULL) {
+			OSSL_PROVIDER_unload(fips);
+			fatal("Failed to load base provider");
+		}
+#endif
+		if (!isc_fips_mode()) {
+			if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+				fatal("setting FIPS mode failed");
+			}
+		}
+	}
+
 	result = dst_lib_init(mctx, engine);
 	if (result != ISC_R_SUCCESS) {
 		fatal("could not initialize dst: %s",
@@ -4104,6 +4135,15 @@ main(int argc, char *argv[]) {
 		isc_mem_stats(mctx, stdout);
 	}
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+	if (base != NULL) {
+		OSSL_PROVIDER_unload(base);
+	}
+	if (fips != NULL) {
+		OSSL_PROVIDER_unload(fips);
+	}
+#endif
+
 	isc_managers_destroy(&mctx, &loopmgr, &netmgr);
 
 	if (printstats) {
diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst
index c10c61b7f9..4eff7aadf5 100644
--- a/bin/dnssec/dnssec-signzone.rst
+++ b/bin/dnssec/dnssec-signzone.rst
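Review bot: The empty line added between `break;` and `case '?':` departs from the surrounding switch, where the leading context shows `break;` immediately followed by `case 'F':` with no separator; drop the `+` blank line so the cases stay uniformly packed. Replacing `FALLTHROUGH;` with `set_fips_mode = true;` and `break;` is otherwise the right shape, since `-F` no longer falls into the invalid-argument handler. The enclosing `switch` and `main()` extend beyond this hunk.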
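Review bot: The `isc_fips_set_mode(1)` failure path calls `fatal()` without unloading the providers, while the `base == NULL` path a few lines earlier unloads `fips` first; if `fatal()` terminates the process the difference is harmless, but the two paths should read the same way, either dropping the `OSSL_PROVIDER_unload(fips);` before `fatal("Failed to load base provider")` or adding `OSSL_PROVIDER_unload(base); OSSL_PROVIDER_unload(fips);` before `fatal("setting FIPS mode failed")`. The reason for loading `"base"` next to `"fips"` is the non-obvious part and deserves a comment, e.g. `/* the FIPS provider carries no encoders/decoders; "base" supplies them */`, assuming that is the motivation. The placement is also security-relevant: this block runs before `dst_lib_init()`, so FIPS enforcement is in place before any DST crypto is initialised, and a one-line comment saying the block must stay ahead of `dst_lib_init()` would protect that ordering against future moves. `main()` continues outside this hunk.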
@@ -21,7 +21,7 @@ dnssec-signzone - DNSSEC zone signing tool
 Synopsis
 ~~~~~~~~
 
-:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
+:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
 
 Description
 ~~~~~~~~~~~
@@ -71,6 +71,12 @@ Options
    engine identifier that drives the cryptographic accelerator or hardware
    service module (usually ``pkcs11``).
 
+.. option:: -F
+
+   This options turns on FIPS (US Federal Information Processing Standards)
+   mode if the underlying crytographic library supports running in FIPS
+   mode.
+
 .. option:: -g
 
    This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-``